Release Notes for the Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, Software Release 3.2(x)
Important Notes
• Release 3.2(15) included a fix for caveat CSCsz35702; that fix caused the FWSM to hang for some customers that use identity NAT (caveat CSCte48563). Release 3.2(16) is identical to 3.2(15) except that caveat CSCsz35702 is left open to avoid caveat CSCte48563. Caveat CSCsz35702 was resolved in Release 3.2(17).
• You must install maintenance software Release 2.1(2) or later before you upgrade to FWSM Release 3.2. See the Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1 for detailed information about upgrading to 2.1(2).
• For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM limits the number of out-of-order packets that can be queued for a TCP connection to 2; this limit is not user-configurable. The other TCP normalization features supported on the PIX and ASA platforms are not available on the FWSM.
• You can disable this limited TCP normalization support on the FWSM with the no control-point tcp-normalizer command.
• When you log in to the system execution space from the switch in multiple context mode, the System Execution Space Authentication feature introduced in FWSM Release 3.2(1) lets you authenticate against a AAA server or the local database. Previously, the only authentication method available was the login password defined in the system configuration. The new method is enabled by the aaa authentication telnet console command in the admin context. If you upgrade to Release 3.2 and the admin context configuration already contains this command, authentication for the system execution space is enabled using the specified server or local database, even if you did not intend to enable it. To use the login password instead, remove the aaa authentication telnet console command from the admin context.
Upgrading or Downgrading the Software
See the Upgrading the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module from Release 2.x to Release 3.1 for detailed information about upgrading to Release 3.2. Although the guide discusses upgrading to Release 3.1, the procedures also apply to upgrading to Release 3.2. You do not have to upgrade from 2.3 to 3.1 first and then to 3.2; you can upgrade directly from 2.3 to 3.2.
Downgrading from a 3.2(x) image to a 3.1(x) image is supported when no 3.2(x) features are configured. If the BGP stub license is activated, downgrading to 3.1(1) through 3.1(7) resets the activation key (3.1(8) and later is not affected). For example, if your activation key also includes a 50-context license, resetting the key sets the license back to the default of 2 contexts.
Starting with Release 3.2(1), the vendor name in the url-server command changed from n2h2 to smartfilter. Because of this change, if you downgrade from a 3.2 or later image whose configuration contains url-server vendor smartfilter to a 3.1 image, the 3.1 image rejects the url-server command. You must re-enter the url-server command using the n2h2 keyword.
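The checks in the Important Notes above (maintenance software 2.1(2), the aaa authentication telnet console side effect, the 3.2(15) identity NAT hang) and in this upgrade/downgrade section (url-server vendor smartfilter, the BGP stub license activation key reset) can be run offline against saved configuration text before touching the module. The following is an added example written for these notes; it is not Cisco code and no such tool ships with the FWSM. The sample configuration fragments are constructed, the version strings stand in for what show version would report, the BGP stub license state is passed in as a flag because it is not visible in the configuration text, and the identity NAT match (the nat ... 0 address form, not the nat ... 0 access-list exemption form) is a heuristic of this example.

```python
"""Offline pre-upgrade / pre-downgrade lint for the FWSM 3.2(x) release-note caveats.

Added example, not Cisco's code. Config line syntax and the identity-NAT
heuristic below are assumptions of this example.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_version(text: str) -> Version:
    """Parse Cisco's major.minor(maintenance) form, e.g. '3.2(16)' -> (3, 2, 16)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FWSM version string: {text!r}")
    major, minor, maint = (int(x) for x in m.groups())
    return (major, minor, maint)


def maintenance_ok(maint_version: str) -> bool:
    """Maintenance software must be 2.1(2) or later before upgrading to 3.2."""
    return parse_version(maint_version) >= (2, 1, 2)


def upgrade_findings(running: str, maint_version: str, admin_ctx_cfg: str) -> List[str]:
    """Warnings that apply when moving from `running` to any 3.2(x) image."""
    findings = []
    if not maintenance_ok(maint_version):
        findings.append(f"maintenance software {maint_version} is older than 2.1(2); upgrade it first")
    if parse_version(running) < (3, 2, 0):
        # Pre-3.2 the command only covers the admin context; after the upgrade it
        # also authenticates logins to the system execution space.
        for line in admin_ctx_cfg.splitlines():
            if re.match(r"\s*aaa authentication telnet console\b", line):
                findings.append(f"admin context has '{line.strip()}': after 3.2 this also gates "
                                "system execution space logins; remove it to keep the login password")
    return findings


def identity_nat_present(cfg: str) -> bool:
    """Heuristic: 'nat (ifc) 0 <addr> <mask>' is identity NAT;
    'nat (ifc) 0 access-list ...' is NAT exemption and is not matched."""
    return any(re.match(r"\s*nat \(\S+\) 0 (?!access-list)\S", line) for line in cfg.splitlines())


def hang_risk(running: str, cfg: str) -> bool:
    """3.2(15) carried the CSCsz35702 fix that hangs some identity-NAT deployments
    (CSCte48563); 3.2(16) backed it out and 3.2(17) resolved it."""
    return parse_version(running) == (3, 2, 15) and identity_nat_present(cfg)


def downgrade_findings(target: str, cfg: str, bgp_stub_active: bool) -> List[str]:
    """Warnings for dropping from a 3.2(x) image to `target`."""
    tgt = parse_version(target)
    findings = []
    if tgt[:2] == (3, 1):
        for line in cfg.splitlines():
            if re.match(r"\s*url-server\b.*\bvendor smartfilter\b", line):
                findings.append(f"3.1 rejects '{line.strip()}'; re-enter it with 'vendor n2h2'")
        if bgp_stub_active and 1 <= tgt[2] <= 7:
            findings.append(f"BGP stub license is active: downgrading to {target} resets the "
                            "activation key (context count falls back to the default of 2)")
    return findings


def rewrite_url_server_for_31(cfg: str) -> str:
    """Rewrite 'vendor smartfilter' to 'vendor n2h2' on url-server lines only."""
    return re.sub(r"^(\s*url-server\b.*\bvendor )smartfilter\b", r"\1n2h2", cfg, flags=re.MULTILINE)


# Constructed sample fragments (not captured from a real FWSM).
ADMIN_CTX_CFG = """\
aaa-server TACACS protocol tacacs+
aaa authentication telnet console TACACS
"""
CUSTOMER_CTX_CFG = """\
nat (inside) 0 10.1.0.0 255.255.0.0
nat (dmz) 0 access-list NO_NAT
url-server (inside) vendor smartfilter host 10.9.9.9 timeout 30 protocol TCP
"""

if __name__ == "__main__":
    for f in upgrade_findings("2.3(4)", "2.1(1)", ADMIN_CTX_CFG):
        print("UPGRADE:", f)
    print("3.2(15) identity-NAT hang risk:", hang_risk("3.2(15)", CUSTOMER_CTX_CFG))
    for f in downgrade_findings("3.1(5)", CUSTOMER_CTX_CFG, bgp_stub_active=True):
        print("DOWNGRADE:", f)
    print(rewrite_url_server_for_31(CUSTOMER_CTX_CFG))
```

The rewrite function only touches url-server lines, so it can be applied to a saved 3.2 configuration before the downgrade instead of re-typing each url-server command by hand afterwards; the downgrade findings for a 3.1(8) or later target drop the activation key warning, matching the note above.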